Best Practices for Preventing Infant Abductions in Healthcare

According to the National Center for Missing and Exploited Children (NCMEC), between 1964 and 2021, there have been 335 infant abductions, with 140 of those abductions from healthcare facilities. The Joint Commission and the National Integrated Accreditation for Healthcare Organizations (NIAHO), or DNV, set performance standards for protecting infants from abduction. 

The Joint Commission is under the Environment of Care (EC), and DNV is under the Physical Environment (PE). The Centers for Medicare and Medicaid Services (CMS) establishes regulations on healthcare facilities (HFC) to safeguard patients. Compliance with these regulations is necessary for hospitals to receive federal funding and reimbursements. The loss of an infant creates significant adverse consequences for a hospital, including:

• Potential lawsuits.
• Regulatory penalties.
• Loss of accreditation.
• Significant financial damage.
• Loss of public trust.
• Negative media coverage.
• Decreased patient confidence.
• Potential long-term reputation harm.
• Increased security costs.
• Mandatory security protocol reviews.
• Potential staff retraining.
• Psychological impact on staff and patients.
• Traumatic experience for family.
• Potential long-term emotional distress.
• Loss of patient/family confidence in a healthcare system.

This article offers three sources of guidance to optimize a facility’s infant abduction posture because each item is good but not optimal without the others. The first key resource organization is NCMEC. NCMEC is a premier resource for law enforcement and the healthcare industry about the topic of infant abductions and offers comprehensive guidance in its 10^th edition of “Guidelines on Prevention of and Response to Infant Abductions.” NCMEC classifies recommended mitigation strategies as essential or highly recommended. From a litigation perspective, this can put hospitals in a tricky spot if security measures fall short if an incident occurs and the guidelines' essential elements are not implemented when they are so freely available.

The International Association of Healthcare Safety and Security publishes the second essential document on infant abduction. This organization provides an array of member-only guidance for a very reasonable annual membership fee. One such document is 05.08.01 Infant Pediatric Abduction Response and Prevention, which builds on the NCMEC guidelines and is a must-have for healthcare security practitioners with some additional recommended mitigation strategies.

While the NCMEC and IAHSS Guidelines are valuable, they do not fully optimize security without applying fundamental physical security principles. These principles recognize that many crimes occur within minutes or seconds, requiring a program that enables rapid detection, assessment, response, and intervention. A comprehensive program based on established guidelines can fail without a robust physical security approach.

Strategy #1 – NCMEC Guidelines on Prevention of and Response to Infant Abductions (10th Edition)

The NCMEC Guidelines aim to provide comprehensive strategies for preventing and responding to infant abductions in healthcare settings, addressing critical security measures for protecting newborns and supporting families. This article will focus on prevention measures, which is the primary mission of a “physical security department.” Key prevention strategies include:

Prevention – Effective Physical Security

•  Implement restricted access to maternity and newborn units. People with no legitimate need for access should not be permitted to walk onto the unit and have access to infants and family members. Note that concerning access control, the Joint Commission EC expects the hospital to control access to and from areas it identifies as security sensitive (which should include mother and baby areas). BPS recommends that egress points are always secured according to code and not just trigger a locking of the opening if an infant with an RFID tag is close to the door. This condition typically requires an egress card reader and a delayed egress device.
• Electronic surveillance should be conducted on both sides of each perimeter opening to capture entries and egress activities at a forensic level of quality. While NCMEC does not stipulate the specific resolution, facilities should strive for 40-60 pixels per foot.
•  Use color-coded badges for authorized personnel. This will better differentiate unauthorized persons who may piggyback or tailgate into restricted units.
•  Electronic access control systems should include propped or forced open door alarms alerting security or unit personnel in real-time and effective response and investigative protocols in place to secure the unit and confirm that an incident has not occurred.
•  Ideally, there would be a single entry/exit point with controlled access for visitors.
•  Implement infant tracking technologies. These systems often include RFID tags, access-controlled and alarmed exits, and real-time location systems (RTLS). Protect elevators and stairwells as a path of egress. If a labor and delivery unit is on the ground floor (not recommended), then emergency exits must also be in the protection scheme. The further away from the ground floor, the longer the permissible response time to apprehend a potential abductor.

Prevention – Staff and Parent Training and Protocols. After physical measures, the staff is the following critical line of defense. Staff training and protocols should include:

•  Conduct comprehensive pre-employment background checks.
• Provide mandatory security awareness training for unit employees. The Joint Commission and DNV also expect this. 
• Include parents in the training program. They play a vital role in carrying out sound practices and protocols for protecting their infant.
• Establish clear identification verification procedures.
• Train staff to recognize potential abduction risks. NCMEC has developed an offender profile, which is not an assurance but a guideline for threat identification and security awareness purposes. 
• Develop consistent reporting mechanisms for actual or perceived threats. 

 Prevention – Identification and Verification Protocols should include:

•  Use multi-factor patient identification.
• Assign unique identification bands to infants and mothers. The goal is to ensure accurate patient matching and prevent potential medical errors during critical early care stages. CMS requires dual identification methods for infants, such as matching ID bands for mother and child, to prevent mismatches.
• Implement systematic parent-infant matching procedures.
• Require additional verification for infant transfers which can be an elevated risk to infant abduction and accounts for 15% of all abductions from a healthcare facility.
• Maintain accurate and updated patient records. 

Prevention – Visitor Management

•  Establish and enforce strict visitation policies. These may or may not include time limitations, but they usually limit the number of visitors per patient to maintain a restful environment for mother and baby.
• Require visitor registration and screening outside of the secure area.
• Limit visitor access to specific areas and internal unit-restricted areas such as medication rooms, nurseries, and Neonatal Intensive Care Units (NICU).
• Implement visible identification requirements.
• Monitor and log visitor movements.

Prevention – Collaborative Approaches

• Engage local law enforcement in the prevention and response protocols, including drills and exercises.
• Develop inter-hospital communication networks to share threats with regional partners when you detect suspicious activity. 
• Share best practices and lessons learned through trade groups such as IAHSS and ASIS International.
• Maintain professional development opportunities for healthcare security professionals to better prepare for these and other low-probability but high-risk scenarios.
• Whether sourced internally or from an independent healthcare security consulting firm, every hospital providing labor and delivery services should be able to provide written documentation confirming that a documented physical security risk assessment and mitigation plan exists. Conduct risk assessments and include a multi-disciplinary group that includes, but is not necessarily limited to, OB, NICU, Pediatrics, the Safety Officer, Security Manager, and the Risk Manager, each providing input in their area of expertise to address actual and potential risks. The risk assessment process should identify vulnerability factors and:Identify high-risk patient populations.
• Assess potential security weaknesses.
• Develop targeted intervention strategies.
• Implement continuous monitoring.
• Create adaptive security frameworks that consider the need to implement additional security measures in dynamic threat situations.

Strategy #2 – IAHSS Guideline 05.08.01 Infant Pediatric Abduction Response and Prevention

There are several similarities between the NCMEC and the IAHSS Guideline, but there are also some differences.

Similarities:

• Security assessment (NCMEC correctly refers to it as a risk assessment while the IAHSS calls it a vulnerability assessment. They are not the same and risk is the better term.)
• Call for policies, procedures, and protocols to prevent and respond to an abduction.
• Training for multi-disciplinary staff in both deterring and responding to abductions.
• Parental/guardian education.
• Use of physical and electronic security measures.
• Standard code (not recommended as plain text versus code pink). 
• Abduction drills. According to the Joint Commission standards and website, they do not require infant/child abduction drills. The standards do require that the organization identifies and implements security procedures that address the handling of an infant or pediatric abduction, as applicable (see EC.02.01.01 EP 9). Conducting an exercise is one method to evaluate the effectiveness of the procedures regarding this issue. It is up to the organization to determine the appropriate actions for successfully implementing the security procedures, and that staff are knowledgeable of those procedures. BPS believes that there is no better way to test the veracity of an infant abduction program than to conduct an unannounced drill, document the results and use an “after-action report” to document lessons learned, update systems and protocols, and retrain as needed. 

Key Differences

• The IAHSS standard is more direct about addressing the issue of studying alarm activations. In 35 years of studying this issue, nuisance alarms desensitize staff and security and delay timely responses to an actual abduction attempt. Failures in design, maintenance, or lack of education and awareness can result in nuisance alarms. Like points made in strategy three below, nuisance alarms can take an otherwise sound program and lead to failure. Root cause analysis, remedial action, and communication with staff and security are vital to countering this condition.
• The IAHSS standard encourages staff to maintain situational awareness of individuals on the unit. While that is easy to say, it is not so easy to do. Refer to this article for more information on the mechanics of achieving a “See Something, Say Something” culture.

Strategy #3 – Application of Sound Physical Security Principles

In our work around infant abduction prevention, we carefully assess each of the unit's physical egress points. We are looking for the shortest possible path to get an infant from the unit into a car or otherwise offsite. We will then measure the time it would take (in seconds typically) to get an infant offsite, and that becomes our basis of design – meaning if prevention is not possible, then detection (via alarming at the door), assessment via the IP video surveillance discussed above, response by security and assigned staff (per the hospital's infant abduction response protocol,) and interdiction (by security, staff or local law enforcement). 

The graphic from Sandia Laboratories illustrates this concept, showing how the physical protection system (PPS) must work in a shorter time than the abductor. If those pieces do not come together in less time than it takes to get the infant off-site, the system will fail.

It is common for pre-code protocols to take a headcount of the infants on the unit to verify that all infants are present. If security is available and not making a simultaneous assessment using the available video, precious seconds and even minutes will be lost. This underscores the importance of minimizing nuisance alarms. When there are minimal alarms, staff will be much more diligent in performing response duties promptly. Consider avoiding anything in a hospital’s response protocol that creates a substantial delay in getting personnel to ground-level exits to intervene and police responding to the site.

Closing Thoughts:

This article presented three sources of industry guidance to optimize a facility’s infant abduction posture. Infant Abduction Prevention requires an integrated security framework. 

Key Guidance Sources:

• NCMEC Guidelines.
• IAHSS Guidelines.
• Fundamental Physical Security Principles.

Critical Considerations:

• Isolated implementation of any single guideline creates an incomplete security posture.
• Rare but high-consequence incidents demand comprehensive mitigation.
• An integrated approach: risk assessment, coordinated strategies, continuous verification. 

An optimal protection strategy requires the following:

• Synthesize multiple guidance sources.
• Implement layered security measures.
• Conduct ongoing risk assessments.
• Validate effectiveness through continuous monitoring, drills, and exercises. 

In summary, we recommend healthcare facilities develop a holistic, multi-sourced security framework that transcends individual guideline limitations. Act now: Protect the most innocent and defenseless patients in your care.